Build Enhancements for Docker


Docker Build is one of the most used features of the Docker Engine: developers, build teams, and release teams all use it.

The Docker Build enhancements in the 18.09 release introduce a much-needed overhaul of the build architecture. By integrating BuildKit, users should see improvements in performance, storage management, feature functionality, and security.

Docker images created with BuildKit can be pushed to Docker Hub and DTR just like Docker images created with legacy build.

The Dockerfile format that works on legacy build will also work with BuildKit builds.

The new --secret command line option allows the user to pass secret information for building new images with a specified Dockerfile.

Overriding default frontends

The new syntax features in Dockerfile are available if you override the default frontend. To override the default frontend, set the first line of the Dockerfile as a comment with a specific frontend image:

New Docker Build secret information

The new --secret flag for docker build lets the user pass secret information for use in the Dockerfile while building Docker images, in a safe way that does not leave the secret stored in the final image.

id is the identifier passed to docker build --secret. It is matched against the identifier of the RUN --mount in the Dockerfile. Docker does not use the name of the file in which the secret is kept outside the Dockerfile, since that name may itself be sensitive information.

dst renames the secret file to a specific file for the RUN command in the Dockerfile to use.

For example, with a secret piece of information stored in a text file:

$ echo 'WARMACHINEROX' > mysecret.txt

With a Dockerfile that specifies the BuildKit frontend docker/dockerfile:1.0-experimental, the secret can be accessed.
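The frontend override and the --secret flow described above, put together as an added example that is not code from the original page. The alpine base image, the secret-demo tag and the helper function names are assumptions; the build-and-verify step needs a running Docker Engine and only runs when RUN_DEMO=1 is set.

```shell
#!/bin/sh
# Added example, not from the original page. Assumed names: the alpine base
# image, the "secret-demo" tag, and all helper function names.
SECRET_VALUE='WARMACHINEROX'   # sample value used on the page

# Write the secret file and a Dockerfile that overrides the default frontend.
make_context() {
    mkdir -p "$1" || return 1
    printf '%s\n' "$SECRET_VALUE" > "$1/mysecret.txt"
    cat > "$1/Dockerfile" <<'EOF'
# syntax = docker/dockerfile:1.0-experimental
FROM alpine
# Without dst, the secret is mounted at /run/secrets/<id> for this RUN only.
RUN --mount=type=secret,id=mysecret wc -c < /run/secrets/mysecret
# With dst, the same secret appears at the path given.
RUN --mount=type=secret,id=mysecret,dst=/foobar wc -c < /foobar
EOF
}

# List the secret ids the Dockerfile requests; each needs a --secret id=<id>.
secret_ids() {
    grep -o 'type=secret,id=[^, ]*' "$1" | sed 's/.*id=//' | sort -u
}

# Build with BuildKit, then check that the value is in neither the image
# history nor the final filesystem. Needs a running Docker Engine.
build_and_verify() {
    ( cd "$1" && DOCKER_BUILDKIT=1 docker build --no-cache -t secret-demo \
        --secret id=mysecret,src=mysecret.txt . ) || return 1
    if docker history --no-trunc secret-demo | grep -q "$SECRET_VALUE"; then
        echo "secret found in image history" >&2; return 1
    fi
    cid=$(docker create secret-demo) || return 1
    docker export "$cid" | grep -a -q "$SECRET_VALUE" && found=1 || found=0
    docker rm "$cid" > /dev/null
    [ "$found" -eq 0 ] || { echo "secret found in filesystem" >&2; return 1; }
    echo "secret not present in image"
}

# Run the Docker part only on request: RUN_DEMO=1 sh demo.sh
if [ "${RUN_DEMO:-0}" = 1 ]; then
    make_context ./secret-demo-ctx && build_and_verify ./secret-demo-ctx
fi
```

The RUN steps print only the byte count of the secret, so the value itself does not land in the build output either.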

Using SSH to access private data in builds

The docker build command has a --ssh option to allow the Docker Engine to forward SSH agent connections. For more information on SSH agent, see the OpenSSH man page.

Only the commands in the Dockerfile that have explicitly requested SSH access by defining a type=ssh mount have access to SSH agent connections. The other commands have no knowledge of any SSH agent being available.

To request SSH access for a RUN command in the Dockerfile, define a mount with type ssh. This sets up the SSH_AUTH_SOCK environment variable so that programs relying on SSH automatically use that socket.